Legal claims defining the scope of protection, as filed with the USPTO.
6. The system of claim 5, wherein the IM application further comprises an inference engine that: identifies one or more incident objects associated with the common IOCs or common groupings of IOCs as a set of correlated incident objects; determines whether there are any common incident characteristics among the set of correlated incident objects; and sends the common incident characteristics to the rules engine, wherein the rules engine determines the tasks for each incident object based upon the one or more IOCs associated with each incident object in response to receiving the common incident characteristics from the inference engine.
7. The system of claim 5, wherein the IM application includes a statistical analysis algorithm, and wherein the inference engine downloads the statistical analysis algorithm from the IM application and applies the statistical analysis algorithm to the set of correlated incident objects to determine whether there are any common incident characteristics among the set of correlated incident objects.
8. The system of claim 5, further comprising a Security Information and Event Manager (SIEM) that includes the incident characteristics of the incident object and the one or more IOCs associated with the incident object within a message, and sends the message to the IM application, and wherein the IM application creates the incident object, the incident characteristic of the incident object, and the IOCs associated with the incident object in response to receiving the message.
9. The system of claim 5, wherein types of the IOCs associated with the incident object include Internet Protocol (IP) addresses, hashes associated with malware, domain names, names of files, user accounts, registry keys, email addresses, and/or protocol port numbers.
10. The system of claim 5, wherein the incident characteristics included within the incident object include an incident type, data compromise status information, data exposure status information, and time/date of incident occurrence.
11. The system of claim 5, wherein the IM application receives updates to the tasks from a security analyst, and updates the incident response plans for the data security incidents to include the updated tasks from the security analyst.
October 10, 2023